Author: Dylan Yu
System bugs at several chain hotels in China led to data breach of an estimated 20 million hotel reservations in 2013; personal data of 130,000 users of 12306.cn, a website for booking train tickets, were wildly circulated on the Internet in 2014; a hacker attack on the backbone network of Netease caused massive service outage on 11 May 2015, and many mobile apps and online games were inaccessible as a result; on 27 May a massive breakdown hit Alipay because optical fibers were destroyed, and the disruptions lasted about 90 minutes; on 28 May Ctrip’s official website and mobile app were blocked for 12 hours. Increasing frequency of cyberattacks has sounded the alarm on cybersecurity. As Internet applications are expanding to a wider spectrum and cyber threats are escalating, the demand for cybersecurity insurance has been on the rise. More and more enterprises hope to buy the insurance to get protections against potential financial losses to be caused by data leak and business interruptions.
Enormous market demand for cybersecurity insurance. According to the 2015 Report on Internet Development and Security issued by the Internet Society of China and China Internet Network Information Centre, there were 3.647 million websites registered in China as at the end of December 2014, and the number has stopped falling and started to rise in the recent three years. In the meanwhile, however, cybersecurity has become a prominent headache for China, as hacker attacks and controls cause tens of billions of dollars in economic losses every year, and the figure keeps going up. The growing threats bring enormous development potential to the cybersecurity insurance market.
According to an underwriting manager at an insurance company, a 2016 survey showed only 10 percent of SMEs worldwide believe their businesses are too small to be targets of cyber crimes, down seven percentage points from 2015.
China’s cybersecurity insurance market is still in its infancy. The market is virtually negligible compared to China’s huge potential demand for cybersecurity insurance. According to a report released by PricewaterhouseCoopers, total premium income for the global cybersecurity insurance market is estimated to reach US$5 billion by 2018, and US$7.5 billion by 2020, although the market is largely uneven at different regions. The United States dominates 90 percent of the global cybersecurity insurance market, Asia Pacific accounts for 1 percent, and the Chinese market is still in the initial stage of development.
Insurers must be mindful of some problems when underwriting cybersecurity insurance. Development of cybersecurity insurance is subject to a country’s social climate, legal environment and talent conditions. China is still a distant laggard in the development pace of cybersecurity insurance compared to well-developed foreign insurance markets, where a comprehensive insurance system and a sound legal & regulatory framework have been in place. Here are some suggestions to insurance companies from the perspective of product development, insurance underwriting and insurance compensation.
Firstly, insurance companies should build reliable economic models to gauge the risk of cyber attacks. Development of insurance products requires big data analysis, but big data used for cybersecurity purposes are very scarce in China because its cybersecurity insurance market still needs more time to take shape. Cybersecurity insurance was created in the 1990s and has developed well in advanced regions like North America.
Chinese insurers can study overseas cybersecurity insurance market and take into account domestic market conditions to develop cybersecurity insurance products. If necessary, they can purchase economic models that can measure the risk of cyber attacks from professional companies to gain an early foothold in the market.
Secondly, insurers must define the scope of insurance liability. At present, most cybersecurity insurance products cover economic losses, personal injuries and property losses caused by cybersecurity incidents, such as human errors, deliberate malicious attacks as well as software bugs.
Since cyber attacks are technically sophisticated and could be caused by multiple factors, insurance companies should take into consideration various factors that might result in losses to the assets insured when devising insurance policies. They should specify which losses are covered by the insurance and which are exclusions. Insurance companies are also advised to roll out targeted insurance products so as to narrow the insurance coverage and reduce insurance risk.
Finally, insurers should define the types of insured losses. Cybersecurity insurance covers such losses as caused by business interruptions, actual business losses, data recovery expenses as well as privacy losses. These losses are hard to be accurately measured, and insurance claims are hard to be justified.
Insurance companies are advised to specify which losses are covered by the cybersecurity insurance and require the insured to present papers and files to justify its claims, so as to avert disputes when the claims are being processed. When the losses cannot be reliably measured, the insurance company can either refuse to compensate or cap the amount of compensation so as to keep losses under control.
In conclusion, as a new product on the market, cybersecurity insurance is bound to face many unpredictable challenges. But more and more insurance companies are going to set foothold in the untapped gold mine as the Internet market grows, legal framework improves and corporate demand increases. In order to get the upper hand, an insurance company must survey the market and make full preparations in the early stage.